https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings
From: Jeremiah Garmatter <[email protected]> Sent: Wednesday, August 19, 2020 12:27 PM To: CAS Community <[email protected]> Cc: King, Robert <[email protected]> Subject: Re: [cas-user] CAS 6.2 Password Policy Alright, I was able to track down a little more information on my organizations password policy. I'm now wondering if CAS 6.2 supports lppe configurations. On the old CAS server (3.5), there was an lppe-configuration.xml file allowing one to set the attributes lppe looked at to trigger password warnings. Is there an equivalent configuration file on 6.2? For reference, here is an example from our 5.3 lppe-configuration.xml file: <bean id="ldapPasswordPolicyEnforcer" class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer"> <property name="searchBase" value="${ldap.authentication.basedn}" /> <property name="contextSource" ref="contextSource" /> <property name="filter" value="${ldap.authentication.filter}" /> <property name="ignorePartialResultException" value="${ldap.authentication.ignorePartialResultException}" /> <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" /> <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" /> <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" /> <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" /> <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" /> <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" /> <property name="validDays" value="${ldap.authentication.lppe.validDays}" /> <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" /> <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" /> </bean> On Wednesday, August 5, 2020 at 9:54:18 AM UTC-4 [email protected]<mailto:[email protected]> wrote: Yes, it is defined in OpenLDAP. I would be surprised if this is not already setup on your existing directory. Guessing as to what CAS is doing… First search for user operational attributes pwdChangedTime and pwdPolicySubentry. Then a second search on the DN from pwdPolicySubentry. That should retrieve attribute pwdMaxAge. Then CAS would determine if the account is expiring inside the CAS defined warning days window and pop up the interruption screen to notify users as they login. From: [email protected] <[email protected]> On Behalf Of Jeremiah Garmatter Sent: Wednesday, August 5, 2020 10:30 AM To: [email protected] Subject: Re: [cas-user] CAS 6.2 Password Policy Robert, You are saying that password policy is defined within openldap itself and not within CAS? I'd prefer not to change any ldap configuration if that can be avoided. Is there no way to change the attribute checked for password expiration within CAS properties? -Jeremiah Garmatter, Systems Administrator -Ohio Northern University, Class of 2020 -Work: 419-772-1074<tel:(419)%20772-1074> Cell: 419-672-8685<tel:(419)%20672-8685> [email protected] On Tue, Aug 4, 2020 at 12:44 PM King, Robert <[email protected]> wrote: If you are using OpenLDAP 2.4 for your directory service: https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.4-Release&arch=default&format=html From: [email protected] <[email protected]> On Behalf Of Jeremiah Garmatter Sent: Tuesday, August 4, 2020 10:45 AM To: CAS Community <[email protected]> Subject: [cas-user] CAS 6.2 Password Policy Hello, I am having trouble understanding the password policy documentation for CAS 6.2.x. I use openldap as the ldap source. I would like to set up a policy that warns users of a password change at 60 days, 30 days, and forces a password change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm not sure how this system was set up (it was made by predecessors). Could somebody explain what this line means? "LPPE is also able to warn the user when the account is about to expire. The expiration policy is determined through pre-configured LDAP attributes with default values in place." (found here: https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html) >From what I understand there is a predefined LDAP attribute that is checked >against the warning-days property and if it is under the day-count then a >warning message appears. Is this true? Also, what LDAP attribute is it checking against? Can this attribute be changed? -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group. To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/9E2ZujSI5Ec/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6aff3a436fc403c8590771343acfae0%40mun.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6aff3a436fc403c8590771343acfae0%40mun.ca?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABX%3DCB0-%2B9DQvoSSQHvCCEpEr2bvwA_qsGji7rrJmgQLzsT77g%40mail.gmail.com<https://groups.google.com/a/apereo.org/d/msgid/cas-user/CABX%3DCB0-%2B9DQvoSSQHvCCEpEr2bvwA_qsGji7rrJmgQLzsT77g%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/db7be93d29794179aabf1ded9b4cfd4b%40mun.ca.
